You’ll hear a lot in cybersecurity – and in technology in general – about the necessity of integrations. The more security solutions can share what they find “in the wild” and compare it against what is actually hitting an organization’s network, the better positioned that organization is to get ahead of cyber threats. Carbon Black, specifically its product Cb Response, and ThreatConnect® are a perfect example of how two technologies work together to bring verified indicators identified outside of an organization into that organization for detection and mitigation efforts.

Carbon Black is highly effective at collecting unfiltered data from endpoints across its network of partners and customers. On the flip side, ThreatConnect collects intelligence from various external (and internal) data sources and combines all of this information in one place to allow for in-depth analysis. They’re both data aggregators, but one is looking inward and one is looking outward. It only makes sense to feed information from one to the other to allow for continuous correlation of Indicators of Compromise (IoCs).

Integrating ThreatConnect and Cb Response

The integration between ThreatConnect and Cb Response allows users to take IoCs identified by ThreatConnect that meet a specified Threat Rating and send the file hashes and IP addresses among them to Cb Response for action.

You may be wondering what a Threat Rating is. It is a rating the ThreatConnect Platform applies to indicators to categorize their severity based on several factors, as depicted to the right. This puts control over which IoCs are sent from ThreatConnect to Cb Response in the user’s hands.

Sending the IoCs is essentially ThreatConnect saying, “Here is a known bad IoC. Check your endpoints to see if they’ve come across this.” Cb Response then correlates the intel from ThreatConnect with the data collected from the endpoints and automatically takes action based on whether any correlations (hits) are found.

This integration allows Cb Response users to instantly hunt across Cb Response’s extensive network of endpoints for the targeted threat indicators they were tracking in ThreatConnect. When a hit occurs, the full context of each hit – including associated threats, past observations or incidents, and community insight – is accessible to the analyst via ThreatConnect.

So how do you make the magic happen? It’s simple. Via the Cb Response Threat Intelligence Feeds interface, you can enable the ThreatConnect App and immediately begin receiving relevant IoCs.
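As an added illustration of the data flow just described (example code, not ThreatConnect’s or Carbon Black’s own integration), the script below filters ThreatConnect-style indicators by a minimum Threat Rating and emits only the file hashes and IPv4 addresses as a Cb Response threat-intelligence feed. It assumes, since the page does not say, that Threat Ratings are integers 0–5 and that the feed uses the JSON “feedinfo”/“reports” layout with “md5” and “ipv4” IoC buckets (the cbfeeds format); the URL and sample indicators are constructed placeholders.

```python
# Added example (not ThreatConnect or Carbon Black code): filter ThreatConnect-style
# indicators by Threat Rating and emit a Cb Response threat-intelligence feed. Assumed,
# not stated on the page: ratings are integers 0-5 and the feed is the JSON "feedinfo"/
# "reports" layout whose "iocs" buckets are keyed "md5" and "ipv4" (the cbfeeds format).
import ipaddress
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
PLACEHOLDER_URL = "https://threatconnect.example/placeholder"  # stand-in for the real link

# Constructed sample indicators shaped like ThreatConnect records (not real intel).
SAMPLE_INDICATORS = [
    {"type": "File", "value": "D41D8CD98F00B204E9800998ECF8427E", "threatRating": 5},
    {"type": "Address", "value": "203.0.113.7", "threatRating": 4},
    {"type": "Address", "value": "198.51.100.2", "threatRating": 1},  # below threshold
    {"type": "Address", "value": "2001:db8::1", "threatRating": 5},   # IPv6: no ipv4 bucket
    {"type": "Host", "value": "example.invalid", "threatRating": 5},  # page forwards only hashes/IPs
    {"type": "File", "value": "not-a-hash", "threatRating": 5},       # malformed: dropped
]

def to_ioc(indicator):
    """Return (bucket, value) for a valid MD5 or IPv4 indicator, else None."""
    value = indicator["value"].strip().lower()
    if indicator["type"] == "File" and MD5_RE.match(value):
        return "md5", value
    if indicator["type"] == "Address":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return None
        if ip.version == 4:
            return "ipv4", str(ip)
    return None

def build_feed(indicators, min_rating, timestamp=0):
    """One report per indicator at or above min_rating; the 0-5 rating scales to a 0-100 score."""
    reports = []
    for ind in indicators:
        ioc = to_ioc(ind) if ind["threatRating"] >= min_rating else None
        if ioc is None:
            continue  # below threshold, unsupported type, or malformed value
        bucket, value = ioc
        reports.append({"id": f"tc-{bucket}-{value}", "title": f"ThreatConnect {ind['type']} {value}",
                        "timestamp": timestamp, "score": ind["threatRating"] * 20,
                        "link": PLACEHOLDER_URL, "iocs": {bucket: [value]}})
    feedinfo = {"name": "threatconnect_example", "display_name": "ThreatConnect (example)",
                "provider_url": PLACEHOLDER_URL, "summary": f"Threat Rating >= {min_rating}",
                "tech_data": "example feed built from ThreatConnect indicators"}
    return {"feedinfo": feedinfo, "reports": reports}
```

Calling `build_feed(SAMPLE_INDICATORS, 4)` yields two reports (the MD5 at score 100 and 203.0.113.7 at score 80); the low-rated address, the IPv6 address, the hostname and the malformed hash are all left out of the feed.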

Looking Forward: New Carbon Black Playbook Apps in ThreatConnect

By the end of the year, ThreatConnect will have 16 new Carbon Black Playbook Apps that execute the commands necessary for incident triage and response actions. As seen in the screenshot of the ThreatConnect Playbook interface below, these are extremely straightforward and do not require a lot of time to set up.

The above shows just one of the applications that you can potentially add to your Playbooks when the apps become available. The Playbook apps will leverage Cb Response’s ability to safely communicate and take actions on endpoints, such as:

Ban MD5 Hash

Create File on Sensor

Create Watchlist

Delete File from Sensor

Isolate Sensor

Unisolate Sensor

Kill Process by Sensor

Retrieve All Processes on a Sensor

Retrieve File by MD5

Retrieve File Info by Search

Retrieve File from Sensor

Retrieve Process Info by Search

Retrieve Sensor by ID

Retrieve Watchlist by ID

Retrieve Watchlist by Name

Update Watchlist by ID

Integrating ThreatConnect and Carbon Black enables analysts to organize their threat indicators as well as proactively hunt for past and present threats across their organization. With the addition of the Playbook Apps, immediate actions can be taken to stop and remediate potential threats at the endpoint based on external threat intelligence.

Together, ThreatConnect and Carbon Black provide a complete solution for SOC teams that enables them to detect threats and perform remediation quickly and precisely by utilizing tools that communicate with each other.

Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.
